The conventional wisdom among many of those responsible for managing organizational FCPA risks is that the existence of a reasonably good program equates to having an ISO 37001 anti-bribery management system “covered.”
The implicit suggestion is that the requirements of the FCPA legal standard are virtually the same as the ISO 37001 business standard, or that, at a minimum, not many program changes would be required to obtain ISO 37001 certification.
I respectfully disagree; it is the rare program in my experience that requires only tweaks to bring it to ISO 37001 certification readiness.
Why are these distinctions important? In the ISO 37001 certification audit process, a major non-conformity (e.g. a requirement is found not to exist or is totally ineffective) prevents certification until correction. Programs may have undocumented practices or “unwritten rules” that are beneficial, and that support a given anti-bribery management system (ABMS) component, but these will be problematic in the certification process. An ABMS necessarily incorporates applicable legal standards, but it also has its own unique requirements (subject always to “reasonable and proportionate” considerations (4.3)).
As an initial ABMS evaluation exercise, FCPA risk managers (whether in legal, compliance, internal audit and/or operations) may thus want to test their organization’s program (and its particular facts and circumstances) by asking ISO 37001-based questions in several basic areas:
Documentation: If the proverbial three most important words in real estate are location, location and location, then the ISO 37001 equivalents are documentation, documentation, and documentation.
The standard requires that certain specifically identified information shall be documented (7.5.1 a)), such as the anti-bribery policy (5.2) and training procedures, content and instances (7.3).
But does your company also document those other management system aspects that are more conceptual, but that are nevertheless explicitly tied to documentation, for example: information necessary for the effectiveness of the management system (7.5.1 b); the management system's scope — to include external and internal contextual issues, the needs and expectations of stakeholders and bribery risk assessment results (4.3); and, with respect to operational planning and control, information to the extent necessary to have confidence that the processes have been carried out as planned? (8.1 c)
Operationalization: ISO management systems standards (see also ISO 9001 — Quality, ISO 14001 — Environmental, and ISO 27001 — Information Security) have a process bias; the word process appears twelve times in ISO 37001’s definitions alone. (3) A primary theme of the overall standard is that anti-bribery controls are most effective when placed within company operations — preferably imbedded within the process that presents the identified bribery risk.
On this theme: does your company’s top management demonstrate leadership and commitment by ensuring the integration of ISO 37001 requirements into organizational processes? (5.1.2 b); is the bribery risk assessment reviewed (and any changes reflected in the ABMS, including its scope) when there are significant changes to the company’s structure or operations (4.5.3 b)); and, per the documentation discussion above, what are the processes involved and what documentation exists to evidence their operations?
Employees: FCPA programs have historically focused on bribery risk reduction through employee training, tone-at-the-top emphasis and hotline access. As noted in an earlier post for the FCPA Blog, DOJ’s revised FCPA Policy is consistent with ISO 37001 in its prioritization of organizational culture, but the business standard is more granular.
In the hiring or promotion of employees to positions with more than a low bribery risk, for example, does your organization have procedures for due diligence and for incentive-based compensation (to contain reasonable safeguards that do not act to encourage bribery)? (188.8.131.52 a)
Also, as part of your organization’s ABMS planning process (6), have ABMS objectives (that are communicated, monitored and, if practicable, measured) been set at all relevant functions and levels (including within sales, contract management and other situations with a possible more than low bribery risk)? (6.2)
ISO 37001 certifications are about to become more commonplace in the U.S. Early this summer, a premier business standards accreditation body, UKAS (United Kingdom Accreditation Service), is expected to accredit certain respected global certifying bodies (CBs) to conduct ISO 37001 certifications. Various U.S.-based Fortune 500 companies are waiting for these accreditation events to select a CB and begin the ISO 37001 certification process.
It may be an opportune time to challenge the (misplaced) conventional wisdom concerning FCPA programs “covering” ISO 37001, and dig into ABMS details — as the ISO 37001 certification becomes an accepted and widely-used bribery and supply chain risk management tool.
Worth MacMurray was formerly general counsel of several public IT companies, a leader within PwC’s DC anti-corruption office and is now Principal at Governance & Compliance Initiatives. He is PECB Certified as both an ISO 37001 Lead Auditor and ISO 37001 Lead Implementer.